NULL pointer dereference in imx-mipi-csis driver when starting stream

Frieder Schrempf frieder.schrempf at kontron.de
Tue Feb 14 08:47:07 PST 2023


Hi everyone,

after solving the previous devicetree and driver issues with the media
pipeline on i.MX8MM using a RPi v2.1 camera module (imx219) as sensor, I
now try to get an image from the sensor and run into the next problem.

Below you can find the commands I use and the output I'm getting. Maybe
someone can see straight away what's wrong or at least can make a guess
before I start diving into the code. ;)

By the way: This happens on v6.1.11 and 6.2-rc8.

Thanks
Frieder

###

I'm setting up the pipeline like this:

media-ctl -d /dev/media0 -V '"imx219 1-0010":0[fmt:SBGGR10_1X10/640x480 field:none]'
media-ctl -d /dev/media0 -V '"csis-32e30000.mipi-csi":0[fmt:SBGGR10_1X10/640x480 field:none]'
media-ctl -d /dev/media0 -V '"csi":0[fmt:SBGGR10_1X10/640x480 field:none]'

This is what "media-ctl -p" looks like afterwards:

Media controller API version 6.2.0

Media device information
------------------------
driver          imx7-csi
model           imx-media
serial
bus info        platform:32e20000.csi
hw revision     0x0
driver version  6.2.0

Device topology
- entity 1: csi (2 pads, 2 links)
            type V4L2 subdev subtype Unknown flags 0
            device node name /dev/v4l-subdev0
        pad0: Sink
                [fmt:SBGGR10_1X10/640x480 field:none colorspace:srgb xfer:srgb ycbcr:601 quantization:full-range]
                <- "csis-32e30000.mipi-csi":1 [ENABLED,IMMUTABLE]
        pad1: Source
                [fmt:SBGGR10_1X10/640x480 field:none colorspace:srgb xfer:srgb ycbcr:601 quantization:full-range]
                -> "csi capture":0 [ENABLED,IMMUTABLE]

- entity 4: csi capture (1 pad, 1 link)
            type Node subtype V4L flags 0
            device node name /dev/video0
        pad0: Sink
                <- "csi":1 [ENABLED,IMMUTABLE]

- entity 10: csis-32e30000.mipi-csi (2 pads, 2 links)
             type V4L2 subdev subtype Unknown flags 0
             device node name /dev/v4l-subdev1
        pad0: Sink
                [fmt:SBGGR10_1X10/640x480 field:none]
                <- "imx219 1-0010":0 []
        pad1: Source
                [fmt:SBGGR10_1X10/640x480 field:none]
                -> "csi":0 [ENABLED,IMMUTABLE]

- entity 15: imx219 1-0010 (1 pad, 1 link)
             type V4L2 subdev subtype Sensor flags 0
             device node name /dev/v4l-subdev2
        pad0: Source
                [fmt:SRGGB10_1X10/640x480 field:none colorspace:srgb xfer:srgb ycbcr:601 quantization:full-range
                 crop.bounds:(8,8)/3280x2464
                 crop:(1008,760)/1280x960]
                -> "csis-32e30000.mipi-csi":0 []

Then I try to start a stream using:

v4l2-ctl -d /dev/video0 --set-fmt-video=width=640,height=480,pixelformat=RG10 --stream-mmap

and run into this NULL pointer dereference error:

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b0
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001039d2000
[00000000000000b0] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in: bluetooth ecdh_generic ecc rfkill ipv6 smsc smsc95xx usbnet crct10dif_ce imx_sdma
CPU: 1 PID: 539 Comm: v4l2-ctl Not tainted 6.2.0-rc8-ktn #1
Hardware name: Kontron BL i.MX8MM (N801X S) (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mipi_csis_s_stream+0x28/0x500
lr : call_s_stream+0x28/0x64
sp : ffff80000a6bb9c0
x29: ffff80000a6bb9c0 x28: ffff0000c4618800 x27: 0000000000000001
x26: ffff0000c0e459d0 x25: ffff0000c0e45a80 x24: ffff0000c0e459e8
x23: 0000000000000001 x22: ffff0000c0e450a0 x21: ffff0000c0e459e0
x20: ffff0000c0fe18b0 x19: ffff0000c0fe1880 x18: ffff0000ff7c2e80
x17: 0000000000000040 x16: fffffc0002a17008 x15: 0000000000000100
x14: 0000000000000001 x13: 00000000f0000080 x12: ffff0000ff7b1cd0
x11: ffff0000ff7b1b00 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff80000abc2000 x7 : 0000000000000000 x6 : ffff0000c4619408
x5 : ffff0000c0e459d0 x4 : 0000000000000000 x3 : ffff800008a1ba60
x2 : ffff800008a4c680 x1 : ffff800008eb36f0 x0 : 0000000000000000
Call trace:
 mipi_csis_s_stream+0x28/0x500
 call_s_stream+0x28/0x64
 imx7_csi_s_stream+0x464/0x830
 call_s_stream+0x28/0x64
 imx7_csi_video_start_streaming+0x150/0x2b0
 vb2_start_streaming+0x7c/0x1c0
 vb2_core_streamon+0xf0/0x260
 vb2_ioctl_streamon+0x5c/0xb0
 v4l_streamon+0x24/0x30
 __video_do_ioctl+0x184/0x3d0
 video_usercopy+0x20c/0x644
 video_ioctl2+0x18/0x2c
 v4l2_ioctl+0x40/0x60
 __arm64_sys_ioctl+0xa8/0xf0
 invoke_syscall+0x48/0x114
 el0_svc_common.constprop.0+0x44/0xfc
 do_el0_svc+0x3c/0xc0
 el0_svc+0x2c/0x84
 el0t_64_sync_handler+0xbc/0x140
 el0t_64_sync+0x190/0x194
Code: a9025bf5 34001921 f9412e60 f9415661 (f9405800)
---[ end trace 0000000000000000 ]---
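
A way to check the faulting access directly from the oops text, as an added example that is not part of the original post: it decodes the bracketed word on the "Code:" line as an A64 integer load/store with unsigned offset and compares base register plus offset with the reported fault address. The oops lines are copied from the post (register dump trimmed); the function names are chosen for this example.

```python
import re

# Lines copied from the oops in the post above (register dump trimmed to the rows used).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b0
pc : mipi_csis_s_stream+0x28/0x500
sp : ffff80000a6bb9c0
x20: ffff0000c0fe18b0 x19: ffff0000c0fe1880 x18: ffff0000ff7c2e80
x2 : ffff800008a4c680 x1 : ffff800008eb36f0 x0 : 0000000000000000
Code: a9025bf5 34001921 f9412e60 f9415661 (f9405800)
"""

def parse_oops(text):
    """Return (fault address, register dict, instruction words, index of faulting word)."""
    fault = int(re.search(r"virtual address\s+([0-9a-f]+)", text).group(1), 16)
    regs = {m[1]: int(m[2], 16)
            for m in re.finditer(r"\b(x\d+|sp)\s*:\s*([0-9a-f]{16})", text)}
    tokens = re.search(r"^Code:\s*(.+)$", text, re.M).group(1).split()
    idx = next(i for i, t in enumerate(tokens) if t.startswith("("))  # (word) = faulting pc
    return fault, regs, [int(t.strip("()"), 16) for t in tokens], idx

def decode_ldst_uimm(word):
    """Decode an A64 integer load/store with unsigned scaled offset, else None."""
    if word & 0x3F000000 != 0x39000000:  # bits 29:27 = 111, V = 0, bits 25:24 = 01
        return None
    size, opc = word >> 30, (word >> 22) & 3
    return {"op": {0: "str", 1: "ldr"}.get(opc, "other"), "rt": word & 31,
            "rn": (word >> 5) & 31, "offset": ((word >> 10) & 0xFFF) << size}

def base_name(insn):
    return "sp" if insn["rn"] == 31 else f"x{insn['rn']}"

def triage(text):
    fault, regs, words, idx = parse_oops(text)
    insn = decode_ldst_uimm(words[idx])
    if insn is None:
        return None
    base = base_name(insn)
    # Heuristic: nearest earlier load in the dumped window that wrote the base register.
    source = next((d for d in map(decode_ldst_uimm, reversed(words[:idx]))
                   if d and d["op"] == "ldr" and d["rt"] == insn["rn"]), None)
    return {"base": base, "offset": insn["offset"],
            "matches_fault": regs[base] + insn["offset"] == fault,
            "loaded_from": (base_name(source), source["offset"]) if source else None}

if __name__ == "__main__":
    print(triage(OOPS))
```

On this trace the result says the faulting access goes through x0 at offset 0xb0 with x0 equal to zero, and that x0 was itself loaded from x19 + 0x258 two instructions earlier. Mapping those offsets to structure fields needs the vmlinux that matches the running kernel.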


